As more of our lives are spent online, we leave a larger digital footprint. Consumer information may be collected from websites and companies (sometimes without the consumer's knowledge).

As companies collect vast amounts of data, the risk of misuse or exposure grows. The CCPA ensures that transparency is the default, not the exception.

Lawmakers have taken notice, and through the CCPA intend to empower consumers to manage their personal information.

To understand the California Consumer Privacy Act overview, one must look at the specific rights the CCPA grants.

• Right to LIMIT the use and disclosure of sensitive personal information collected about them.

• Right to OPT-OUT of the sale of their personal information and the right to opt-out of the sharing of their personal information for cross-context behavioral advertising.

• Right to CORRECT inaccurate personal information that businesses have about them.

• Right to KNOW what personal information businesses have collected about them and how they use and share it.

• Right to EQUAL treatment. Businesses cannot discriminate against consumers for exercising their CCPA rights.

• Right to DELETE personal information businesses have collected from them (subject to some exceptions).

Business owners outside of California must still pay close attention to the language of the CCPA. It is a consumer-centric law, intended to protect all California residents. No matter the state where you are headquartered, if you collect data from California residents, the law may apply to your business.

The CCPA may also be the beginning of a new trend in privacy legislation. “Many states are really looking to this law as a model for privacy rights in the United States,” says General Counsel and Chief Compliance Officer, Lauren Valenzuela.

This is why businesses that may not be subject to the present law should still pay close attention to the CCPA.

As privacy becomes of greater concern, other states are likely to follow California in passing similar protections. There is even a possibility of federal legislation around this subject in the future.

There are a few instances in which the CCPA does not apply.

The CCPA does not apply to non-profits or certain types of information already governed by federal laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Fair Credit Reporting Act (FCRA).

However, since most debt collection activities involve a mix of data types, it is important to evaluate compliance with your organization’s legal counsel.

The following scenarios describe organizations that may not need to adhere to the CCPA:

• Non-Profit Organizations

• Commercial activity if every aspect of that activity takes place outside of California (e.g., business collected information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold).

• Health information, whether it's protected health information or not, that is maintained by a health care provider or a HIPAA-covered entity.

• Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.

• Sale of personal information to/from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report, and use of that information is limited by the federal Fair Credit Reporting Act.

Even if your business is not headquartered in California, you should understand the CCPA. The law applies to any for-profit business that collects data from California residents and meets one of these criteria:

• Annual gross revenue exceeds $25 million.

• Annually buys, receives, or shares the personal information of 100,000 consumers, households, or devices.

• Derives 50 percent or more of its annual revenues from selling consumer personal information.

Note: In the debt collection space, some agencies meet the 100,000-record threshold simply by managing a high volume of accounts involving California residents.

Consumer: Natural person who is a California resident.

Business: A sole proprietorship, partnership, LLC, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, that does business in the State of California, and that satisfies one or more of the above thresholds.

Collects, Collected, or Collection: Buying, renting, gathering, obtaining, receiving, or accessing any personal information about a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

Commercial Purposes: To advance a person’s commercial or economic interests, such as by:

• Inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services.

• Enabling or affecting, directly or indirectly, a commercial transaction.

“Commercial purposes” do not include the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

The CCPA creates new consumer rights and imposes obligations on businesses regarding the collection, use, and sharing of personal data.

Key consumer rights include the right to limit use, opt out, correct, know, receive equal treatment, and delete information. Businesses must offer:

• Transparency: Companies must provide clear notice at or before the point of collection about what data is being gathered and for what purpose.

• Security: Businesses must implement reasonable security practices to protect personal information from unauthorized access or breaches.

The CCPA applies to for-profit businesses that do business in California and meet at least one of the following three thresholds: annual revenue above $25 million, deal with more than 100,000 households’ data, or derive 50% of revenue from data.

Note: The law also applies to entities that control or are controlled by a covered business and share common branding. It generally does not apply to non-profit organizations or government agencies.

Final Summary: The California Consumer Privacy Act (CCPA) represents a major shift in how companies must handle consumer data.

By understanding this California Consumer Privacy Act summary, organizations can build safer processes for managing consumer data.

Navigating privacy laws like the CCPA is just one step in securing your business.

Subscribe to the PDCflow blog for weekly insights on payment strategies, esignature tech, and compliance updates designed to help you master the final mile of the customer journey.